It is becoming increasing more difficult to spot malicious emails, however by training your staff on what to look for you can reduce the chances of becoming a victim. Security awareness training is not a one off – lunch and learn series – but rather a continuous training method. The training should focus on not just how to spot phishing email, but also texts, as well as safe browsing.

You can run a quick check to see how many would be susceptible to a phishing email by performing a free phish test, in addition you can perform a domain spoof test to see if threat actors can spoof an email within your domain.

UK senior decision makers believe younger workers are the biggest risk to cyber security, but are doing little to support them and reduce that risk, a report reveals

More than a third of senior executives believe that younger employees are the “main culprits” for data security breaches in the workplace, a study shows.

However, the same decision makers are doing very little to allay their own fears, with more than a third of 18 to 24 year olds able to access any files on the company network, and less than half (43%) have access only to the files that are relevant to their work.

These are the main findings of an independent study into attitudes to security of the next generation workforce, commissioned by security firm Centrify.

The study, conducted by Censuswide, sought the views of 1,000 next generation workers (18-24 year olds) and 500 decision makers in UK organisations.

The study examines how security, privacy and online behaviour at work impacts the lives of younger employees and the companies that they work for.

Password sharing tops the list of what keeps decision makers awake at night (56%), but 29% of younger workers reveal that they are in the driving seat when it comes to password changes, with their employers leaving it to them to decide when they need a password change. Furthermore 15% admit to sharing passwords with colleagues.

Asked how younger employees could negatively impact the workplace, 47% of decision makers worry about them sharing social media posts and the impact these could have on brand and reputation.

These concerns appear well founded with one in five workers saying they are not bothered about how their social media activity might affect their employers and 18% admitting that their posts could compromise employers’ security and privacy policies.

However, less than half say their company has social media guidelines in place, highlighting the need for strong social media access controls that follow the principles of a zero-trust approach to security, which assumes that users inside a network are no more trustworthy than those outside the network.

The “always on” approach to technology of younger workers with no experience of an off-line world, further reinforces the need for robust security policies, the study report said. When it comes to this generation of workers, 40% of decision makers are concerned about their misuse of devices, while 35% say they are too trusting of technology and 30% worry they share company data too easily.

While 79% of decision makers report having a strong security policy in place and 74% of them think that their employees abide by it, over a third (37%) feel that young workers are too relaxed about security policies.

Awareness of the dark web

Decision makers also say the next generation of workers have a good awareness of the dark web (87%), underground hacking (79%) and crimeware. And although around half (48%) say they have strict guidelines in place for employees accessing these new “dark arts”, 39% feel they could be better.

“Some may think of younger workers as always online, always ready to share information and perhaps not being as concerned about privacy or security as perhaps older workers, but we must remember they are the business leaders of tomorrow and we must help not hinder them,” said Barry Scott, chief technology officer for Europe at Centrify.

“While it’s clear that employers are concerned about this new generation entering the workforce – and see them as a potential risk to both the business and brand – these same companies are perhaps guilty of not putting in place the right security processes, policies and technologies.

“If you give employees access to any information at any time from any place, or fail to enforce strict password and security policies, they are likely to take full advantage, putting both their own jobs at risk as well as the company itself,” he said.

According to Scott, the study shows it is time to discard the old castle and moat model of “trust but verify” because it does not work in today’s mobile-first, cloud-enabled world where employees can be anywhere and work on multiple devices.

“Traditional network perimeters are dissolving and security professionals must adopt a zero-trust security approach that assumes bad actors are already on the network,” he said. “With zero-trust, we verify every user, validate their device and limit their access to only the resources they need, and use machine learning to ensure the resulting improved security has no impact on efficiency.

“Let’s be clear that zero-trust is not saying we’ve lost trust in our employees, it actually provides an enabler to allow them to work exactly the same way wherever they are, and provides the company with a stronger security posture.”

Extra mentoring needed

The study report concludes that while managers’ assumptions that next-generation workers are the root of cyber security problems in the workplace may be overstated, there are some areas, such as social media use and password management, where younger workers do need extra mentoring.

Decision makers can do more to address this problem, the report said, by putting technical controls in place, refining security policies and communicating them effectively to employees.

However, according to the report, leadership and the need for decision makers to set a good example are equally important. “If managers can demonstrate a commitment to security through their own policies and actions, then the next-generation workforce will surely follow,” the report said.

End-users can be the weakest link in your infosec defense. But according to KnowBe4 founder and CEO Stu Sjouwerman, there is something you can do about that – if you implement the right behavioral diagnostics and focus your training needs on individual users’ actual weaknesses.

In its State of Cybersecurity 2018 research study just released, ISACA reveals that last year, 62% of respondents experienced a ransomware attack, compared to 45% this year — a 17-point drop.

According to ISACA, the drop in ransomware attacks is likely because organisations are significantly better prepared after last year’s WannaCry and NotPetya attacks, with 82% of respondents saying that their enterprises now have ransomware strategies in place. In addition, 78% said they have a formal process in place— up 25-points from last year.

“While these findings are positive, the data show that ransomware attacks may have been displaced by cryptocurrency mining, which is becoming more frequent,” said ISACA.

“Cryptocurrency mining malware can operate without direct access to the file system, making them harder to detect—and as the prices of cryptocurrencies increase, the economics of cryptocurrency mining malware becomes better for the attacker.

“Additionally, the three most common attack vectors remain unchanged from last year – phishing, malware and social engineering.”

The research also shows that 50% of the 2,366 security leaders surveyed have seen an increase in cyberattack volumes relative to last year and, in addition, 80% of respondents said they are likely, or very likely, to be attacked this year — a statistic that ISACA says remains unchanged from last year’s study.

According to ISACA, active defence strategies are highly effective, but underutilised.

The research also found that nearly 4 out of 10 respondents (39%) are not at all familiar or only slightly familiar with active defence strategies (e.g., honeypots and sinkholes), and of those who are familiar with active defence strategies, just over half are actually using them.

“This is a missed opportunity for security leaders and their organisations,” said Frank Downs, director of cybersecurity at ISACA.

“ISACA’s research indicates that active defence strategies are one of the most effective countermeasures to cyberattacks. A full 87% of those who use them indicate that they were successful.”

The ISACA report suggests enterprises must be better prepared with focused attention on several areas, and makes several recommendations, including:

Investing in talent—With attacks still on the rise, enterprises must continue to invest in finding, retaining and training skilled cyber security professionals

Exploring further automation benefits—Enterprises should consider automation-driven strategies and tools for detection and to support recovery and response efforts

Ensuring appropriate investment in security controls—With attack vectors (phishing, malware and social engineering) minimally changing, existing control types are still valid and useful. Enterprise investment and attention to security controls should increase in line with the frequency of these attack vectors.

Businesses and consumers around the world are encouraged to adopt two-factor authentication as a means of strengthening login security. But 2FA isn’t ironclad: attackers are finding ways to circumvent the common best practice. In this case, they use social engineering.

A new exploit, demonstrated by KnowBe4 chief hacking officer Kevin Mitnick, lets threat actors access target accounts with a phishing attack. The tool to do this was originally developed by white hat hacker Kuba Gretzky, who dubbed it evilginx and explains it in a technical blog post.

It starts with typosquatting, a practice in which hackers create malicious URLs designed to look similar to websites people know. Mitnick starts his demo by opening a fake email from LinkedIn and points out its origin is “llnked.com” – a misspelling people will likely overlook.

Those who fall for the trick and click the email’s malicious link are redirected to a login page where they enter their username, password, and eventually an authentication code sent to their mobile device. Meanwhile, the attacker can see a separate window where the victim’s username, password, and a different six-digit code are displayed.

“This is not the actual 6-digit code that was intercepted, because you can’t use the 6-digit code again,” Mitnick says in the demo. “What we were able to do was intercept the session cookie.”

With the session cookie, an attacker doesn’t need a username, password, or second-factor code to access your account. They can simply enter the session key into the browser and act as you. All they have to do is paste the stolen session cookie into Developer Tools and hit Refresh.

It’s not the first time 2FA has been hacked, says Stu Sjouwerman, founder and CEO at KnowBe4. “There are at least ten different ways to bypass two-factor authentication,” he explains in an interview with Dark Reading. “They’ve been known about but they aren’t necessarily well-published … most of them are flying under the radar.”

These types of exploits are usually presented as concepts at conferences like Black Hat. Mitnick’s demo puts code into context so people can see how it works. This can be used for any website but an attacker will need to tweak the code depending on how they want to use it.

To show how the exploit can make any site malicious, Sjouwerman sent me an email tailored to look like it came from Kelly Jackson Higgins, reporting a typo in an article of mine:

When I clicked the link, I ultimately ended up on Dark Reading but was first redirected to a site owned by the “attacker” (Sjouwerman). In a real attack scenario, I could have ended up on a truly malicious webpage where the hacker could launch several different attacks and attempt to take over my machine. Sjouwerman sent a screenshot of what he saw while this happened:

Event types go from processed, to deferred, to delivered, to opened.

“You need to be a fairly well-versed hacker to do this – to get it set up and have the code actually working,” he notes. This is a one-on-one attack and can’t be scaled to hit a large group of people at the same time. However, once the code works, the attack is fairly simply to pull off.

“You need to have user education and training, that’s a no-brainer, but you also have to conduct simulated phishing attacks,” Mitnick says in his demo.

Sjouwerman emphasizes the importance of putting employees through “new school” security awareness training, as opposed to the “death by PowerPoint” that many employees associate with this type of education. Instead of putting them through presentations, he recommends sending them phishing attacks and conducting online training in the browser.